
I knew who wrote this just from the title. I don't know why you keep posting DNS stuff here, but this isn't Unix/Linux specific at all. Personally I think it's a decent question, but it's not on-topic here, and I don't think we have another site in the network that wants it
– Michael Mrozek♦ Nov 11 '11 at 14:54

Is this really off-topic here? Considering probably 90% of the world's DNS servers run on Unix/Linux? Perhaps the question could have been reworded: "How can I configure my DNS server to answer recursive queries, and why should I avoid doing this?" but is that really "off-topic"? Just curious.
– gabe. Dec 5 '11 at 21:54

It could arguably be considered a better fit on security.stackexchange.com, but I don't see any real reason to reject it here outright...
– Shadur Dec 6 '11 at 8:01

2 Answers

TL;DR: Recursive queries are part of the way the internet and DNS work, but not all DNS servers should be receiving recursive queries, and when the ones that shouldn't respond do respond you can get problems.

Longer version:

Recursion, n: See under Recursion.

A recursive DNS query happens when the DNS server you asked for the address of, say, unix.stackexchange.com doesn't know the answer itself, so it has to check with another server.

Normally this is actually how DNS works -- the DNS server of your ISP does not have the entire internet's domain records permanently memorized for obvious reasons, so the following exchange happens under the hood:

Hi there, ns2.serverfault.com, can you tell me where to find unix.stackexchange.com?

ns2.serverfault.com: Sure thing! That's address 64.34.119.12

ISP's DNS server: Great, thanks!

OS, the number you're looking for is 64.34.119.12.

OS: Great, thanks!

Browser, you need address 64.34.119.12

Browser: Great, thanks!

Okay, calling up the page now.

You: Yay, thanks Browser!

Now bear in mind that there are actually two types of name servers queried here -- authoritative DNS servers (the so-called "root" servers that told your ISP's DNS server where to find SE.com's DNS server, and SE.com's authoritative DNS server) and recursing or forwarding DNS servers (your ISP's DNS server).

Normally, the former type is not supposed to respond to recursive queries, especially not from outside their own domain. Smaller ISPs sometimes save on costs by having their primary authoritative name server be the same server as their primary forwarding nameserver, but that's a somewhat unsafe policy - especially if you don't configure your server to refuse recursive queries from outside your own IP range.

Suppose there are 2 DNS servers: DNS-A is the authority for domain-a, DNS-B is the authority for domain-b, and someone sends a DNS query to DNS-A for a lookup of domain-b. DNS-A would then be recursing by sending a request to DNS-B in order to look up domain-b. Essentially, a recursive query is when a DNS server, on behalf of the client that sent the query, chases the trail of DNS in order to fulfill the request.

This is fine if you are hosting a DNS server for a network, like an office, and all the machines in that office use the DNS server to do all lookups. This is bad if you are allowing anyone to do DNS recursive queries. This is also bad if you are hosting a DNS server that is only supposed to fulfill requests for a certain domain. If someone requests a lookup for another domain, the DNS server should return an error instead of doing recursion.
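A small checker for the advice in both answers (refuse recursive queries from outside your own IP range; return an error rather than recursing for other domains), added here as an example and not part of either answer: it sends a DNS query with the RD (recursion desired) bit set to a server you run and reads the RA (recursion available) bit and RCODE of the reply. The server address, the fixed transaction id and the verdict labels are assumptions of this example; the sample replies are constructed.

```python
import socket
import struct

RD, RA = 0x0100, 0x0080  # header flag bits: Recursion Desired (query) / Recursion Available (reply)
RCODES = {0: "NOERROR", 1: "FORMERR", 2: "SERVFAIL", 3: "NXDOMAIN", 5: "REFUSED"}
TXID = 0x1234            # fixed transaction id (assumed) so a reply can be matched to our query


def build_query(name):
    """Build a plain DNS A query for `name` with the RD bit set, i.e. a recursive query."""
    header = struct.pack(">HHHHHH", TXID, RD, 1, 0, 0, 0)  # id, flags, QD=1, AN, NS, AR
    qname = b"".join(bytes([len(l)]) + l.encode() for l in name.rstrip(".").split(".")) + b"\x00"
    return header + qname + struct.pack(">HH", 1, 1)  # QTYPE=A, QCLASS=IN


def classify_response(reply):
    """Read the 12-byte reply header and say whether the server recursed for us or not."""
    rid, flags, _qd, ancount, _ns, _ar = struct.unpack(">HHHHHH", reply[:12])
    if rid != TXID:
        raise ValueError("reply transaction id does not match our query")
    ra = bool(flags & RA)
    rcode = RCODES.get(flags & 0x000F, str(flags & 0x000F))
    # A server that will not recurse for this client clears RA and, for names outside
    # its own zones, answers REFUSED. RA set means it chased the trail on our behalf.
    verdict = "non-recursive" if (rcode == "REFUSED" or not ra) else "recursive"
    return {"ra": ra, "rcode": rcode, "answers": ancount, "verdict": verdict}


def probe(server, name="unix.stackexchange.com", timeout=3.0):
    """Send the recursive query to `server` over UDP/53 and classify its reply."""
    with socket.socket(socket.AF_INET, socket.SOCK_DGRAM) as sock:
        sock.settimeout(timeout)
        sock.sendto(build_query(name), (server, 53))
        reply, _ = sock.recvfrom(512)
    return classify_response(reply)


# Constructed sample replies (header only, which is all classify_response needs):
OPEN_REPLY = struct.pack(">HHHHHH", TXID, 0x8180, 1, 1, 0, 0)     # QR RD RA, NOERROR, one answer
REFUSED_REPLY = struct.pack(">HHHHHH", TXID, 0x8105, 1, 0, 0, 0)  # QR RD, no RA, REFUSED
AUTH_REPLY = struct.pack(">HHHHHH", TXID, 0x8500, 1, 1, 0, 0)     # QR AA RD, no RA: own zone only

if __name__ == "__main__":
    import sys
    target = sys.argv[1] if len(sys.argv) > 1 else "127.0.0.1"  # your own server (assumed)
    print(target, probe(target))
```

Run it from outside your own IP range against your authoritative server: a "recursive" verdict for a name you are not authoritative for is the open-resolver situation both answers warn about.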